1. 閱讀文章分享@若渴
2016.1.24
<ajblane0612@gmail.com>
AJMachine
https://cve4fun.hackpad.com/

2. 關注動態方式
• 閱讀文章我先找出
• 有沒有fb粉專
• 有沒有YouTube訂閱
• Twitter
• FB其實蠻好用的
• 粉專->點讚->搶先看
• 每天打開fb看的都是關於資安的新聞
• 分享至自己動態，告知自己要看什麼

3. SMI到底是軟還是硬呢XD?可軟可硬
• SMM code completely unaccessible from OS and OS can’t even notice
when exactly SMI is being executed. There’s a several ways to
generate SMI:
• Ring 0 code can trigger software SMI at any time by writing some byte value
to APMC I/O port B2h.
• Internal chipset registers (SMI_EN, GEN_PMCON_1 and others) that
accessible via PCI config space allows to enable or disable different kind of
hardware SMI sources.
• You can route hardware interrupts into SMM by reconfiguring of advanced
programmable interrupt controller (APIC) that integrated into CPU.
• I/O instruction restart CPU feature (chapter 34.12 of IA-32 Architectures
Software Developer’s Manual) allows to generate SMI on any I/O port access
by IN or OUT processor instruction.
節錄Building reliable SMM backdoor for UEFI based platforms

4. Outline
•The memory sinkhole
•Undefined behavior: what happed to my code
•The impact of GPU-assisted malware on memory
forensics: a case study
•SLOTH
•ATM
HTTPS bicycle attack

5. The Memory Sinkhole
• In Intel, Ring 3 – Userland, Ring 0 – Kernel, Ring-1 - Hypervisor, Ring-2 –
SMM has the firmware, all the most critical security checks
• SMM hides from Ring 0
• System Management RAM (SMRAM) is only accessible to SMM
• SMM handler
• System Management Interrupt (SMI) toggles SMM
• SMM handler
• 抓DSC structure(Global Descriptor Table, Segment selectors,..)來對此結構初始化
• Attack技巧
• 使用APIC remap，把APIC payload (都為0)對應至DSC structure (SMRAM)
• 經過SMM handler執行完會跳至0x10:0x8077的位置去執行。

6. SMM Security
節錄The Memory Sinkhole : An architectural privilege escalation vulnerability

7. The APIC Remap Attack
節錄The Memory Sinkhole : An architectural
privilege escalation vulnerability

8. 節錄The Memory Sinkhole : An architectural privilege escalation vulnerability

9. Undefined Behavior: What Happed to my
Code
• Undefined behavior
• Null Pointer Dereference
• Oversize Shit
• Singed Integer Overflow
• Out-of-Bounds Pointer
• Type-Punned Point Deference
• Uninitialized Read
• 程式碼的行為在C規格書上沒有定義，而c沒有定義的行為，各個
compiler會有不同狀況的處理，有可能把code移除，造成跟預期
結果不一樣，產生漏洞主角: compiler。= =||

10. Out-of-Bounds Pointer
• 指標的加減是Undefined behavior，所以要來看compiler會做什麼事，
如下code
• end < buf 會被Clang轉成
• buf + size < buf
• size < 0
• 之後它會刪除if (end < buf) { ... } 整個branch ，原本要避免Singed Integer Overflow
(!!)

11. Type-Punned Point Deference
• C有嚴格限制aliasing(兩個指標指向同一個記憶體做存取)，但你往
往會aliasing導致undefined behavior，此行為會導致compiler沒辦
法最佳化
• 使用C的union，告知compiler我們是
一樣的，如以下code
節錄http://stackoverflow.com/questions/98650/what-is-the-strict-aliasing-rule

12. PIC/GSM Address Space Layout on Intel
Haswell
• PIC bus for GPU or DMA
• CPU view
• MMIO有一部分保留給PIC bus
• DRAM view
• MMIO記憶體範圍是看不到的，所以就看不到PIC bus
• Intel解法
• 在CPU view上設定位置TOLUD至4GB給MMIO，所以DRAM view
就可以看到相同的位置空間。
• Graphic Stolen Memory (GSM)
• CPU view大部分不能存取的，有GTT部分可以存取。
• 組成
• Graphics Translation Tables (GTT) : 告知GPU virtual-to-physical
可由BIOS階段設定
• Data Range (programming space)

13. The Impact of GPU-assisted Malware on
Memory Forensics: a Case Study
• 建立buffer object 在Graphics Execution Manage (GEM) subsystem(不
在GSM裡)，可被CPU和GPU domains看到，使用不同的virtual
address
• OS page table
• graphic page table
• 攻擊手法
• GPU修改在GSM的graphic page table，原本對應 buffer object但可經由修
改存取到CPU使用memory的資料。

14. 只是想了解為什麼hash collision跟TLS有關
SLOTH(CVE-2015-7575)
源自Transcript Collision Attacks:
Breaking Authentication in TLS, IKE, and SSH

15. Client 認證可過，代表MitMA可以假
裝Client C

16. Tyupkin ATM
malware in the ATM

17. 你知道台灣人怎做嗎?